China National Vulnerability Database (CNVD): CNVD-2022-56972
Aug 04, 2022 - 12:00 a.m.

IBM DataPower Gateway Cross-Site Scripting Vulnerability (CNVD-2022-56972)

2022-08-04 00:00:00
China National Vulnerability Database
www.cnvd.org.cn

CVSS3: 5.4 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

IBM DataPower Gateway is a security and integration platform from IBM (USA) designed specifically for mobile, cloud, application programming interface (API), web, service-oriented architecture (SOA), B2B, and cloud workloads. The platform protects, integrates, and optimizes access across channels using a dedicated gateway platform.

A cross-site scripting vulnerability exists in IBM DataPower Gateway. It stems from the program's lack of validation and filtering of user-provided data and output. An attacker could exploit the vulnerability to embed arbitrary JavaScript code in the Web UI to alter the intended functionality, which could lead to credential disclosure in a trusted session.
